HIGH 7.5

CVE-2026-8878: Securly Chrome Extension 3.0.7 Exposes Password Hashes via Weak Encryption

The Securly Chrome Extension version 3.0.7 contains a serious security flaw where multiple web endpoints can be accessed by anyone on the internet without authentication. These endpoints expose sensitive data in the form of SHA-1 password hashes. The hashes are protected only by a Caesar cipher—an extremely weak encryption method dating back centuries—making them trivial to decrypt. An attacker can recover the original hash values, which could then be used in further attacks or to compromise user accounts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-326
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8878 identifies multiple unauthenticated endpoints in Securly Chrome Extension 3.0.7 that expose SHA-1 hashes inadequately protected by Caesar cipher obfuscation. The vulnerability maps to CWE-326 (Inadequate Encryption Strength), reflecting the use of a cryptographically broken cipher for sensitive data. The network-based attack vector (CVSS AV:N), zero privilege requirement (PR:N), and no user interaction needed (UI:N) means any remote, unauthenticated attacker can exploit this with basic HTTP requests. The impact is high confidentiality loss (C:H) without integrity or availability impact. The CVSS 3.1 score of 7.5 reflects the straightforward exploitability and direct exposure of authentication-related data.

Business impact

Organizations using Securly Chrome Extension 3.0.7 face direct exposure of credential material. SHA-1 hashes, even if salted, can be subjected to precomputation attacks and rainbow table lookups, especially for common passwords. The trivial reversibility of Caesar cipher obfuscation means defenders cannot rely on any meaningful security layer. Affected users may experience credential compromise, unauthorized access to accounts, or lateral movement by attackers who obtain these hashes. For enterprises managing Securly deployments, this creates liability around user data protection and potential breach notification obligations.

Affected systems

Securly Chrome Extension version 3.0.7 is the confirmed affected release. Users running this specific version on any system with the Chrome browser are at risk. Organizations that have deployed Securly as a content filtering or security monitoring solution across managed Chrome instances should identify and audit all systems running 3.0.7. Other versions of the Securly extension and other Securly products should be evaluated separately; however, the scope of this CVE is specific to the Chrome Extension at 3.0.7.

Exploitability

Exploitation is trivial. An attacker requires only network access and basic knowledge of HTTP requests; no authentication, special tools, or user interaction is needed. Discovering the vulnerable endpoints may require reconnaissance, but the Caesar cipher obfuscation provides virtually no barrier once an endpoint is identified. An attacker can programmatically decrypt the hashes with minimal computational effort. The lack of authentication, rate limiting, or CORS restrictions (implied by the public accessibility) means this can be done at scale. This vulnerability is straightforward to exploit without any sophisticated techniques.

Remediation

Securly should issue an immediate patch to version 3.0.7 that restricts access to sensitive endpoints via proper authentication and authorization controls, removes or strengthens hash obfuscation with industry-standard encryption (AES-256 or equivalent), and implements rate limiting and monitoring. Users must upgrade to a patched version as soon as it becomes available. Interim mitigations include restricting network access to the Chrome Extension's backend endpoints via firewall rules or proxy policies if the deployment architecture allows it, and monitoring for suspicious access patterns to known sensitive endpoints.

Patch guidance

Monitor Securly's official security advisories and release notes for version updates following 3.0.7. Patches should be tested in a limited environment before full deployment to ensure compatibility with existing security policies and user workflows. Once a patched version is released, prioritize deployment to all affected systems. Verify against the vendor advisory that the patch addresses both the endpoint authentication issue and the weak obfuscation mechanism. Automated deployment via Chrome policy (chrome://policy) or mobile device management (MDM) solutions can accelerate rollout in enterprise environments.

Detection guidance

Audit systems running the Securly Chrome Extension to identify instances of version 3.0.7. Sensitive data exposure detection should focus on outbound HTTP requests from Chrome processes to Securly backend endpoints, particularly those returning SHA-1 hashes or other credential material. Monitor network traffic for unusual patterns of requests to known vulnerable endpoints. Log aggregation and SIEM tools can flag repeated or high-volume requests to these endpoints from a single user or system. Additionally, check for indicators such as base64-encoded or Caesar cipher–obfuscated data in transit. Organizations with DLP (Data Loss Prevention) tools should configure rules to flag exfiltration of hash values matching SHA-1 format.

Why prioritize this

This vulnerability merits immediate attention due to its high CVSS score (7.5), straightforward network exploitability, and direct exposure of credential material. The absence of complexity or authentication barriers means the barrier to exploitation is extremely low, and the impact—potential account compromise—is severe. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the ease of exploitation and sensitivity of exposed data suggest rapid weaponization is likely. Organizations should treat this as a critical priority requiring urgent patching.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability with no authentication or user interaction required, resulting in high confidentiality impact. The score does not account for attack complexity or scope broadening, meaning it represents a realistic, commonly exploitable scenario. The underlying issue—weak encryption of sensitive data—is conceptually simple but consequential. The score appropriately captures that while integrity and availability are not directly impacted, the confidentiality breach of hashes poses significant downstream risk to user accounts and organizational security posture.

Frequently asked questions

Can the SHA-1 hashes be cracked offline once exposed?

Yes. SHA-1 hashes are cryptographically weak by modern standards, especially for common passwords. Once decrypted using the trivial Caesar cipher, the hashes can be targeted with precomputation attacks, rainbow tables, or brute-force methods. If the original passwords were weak or common, they can be recovered quickly. This is why exposure of even 'hashed' passwords is a serious incident.

How do I know if my organization uses Securly Chrome Extension 3.0.7?

Check the Chrome Extensions page (chrome://extensions/) and search for Securly. The version number is displayed next to the extension name. In enterprise environments, run a browser inventory scan or MDM report to identify all systems running the extension and their versions. If version 3.0.7 is found, treat those systems as at-risk and prioritize patching.

What if we can't patch immediately?

Implement interim controls: restrict network access to Securly's backend domains via firewall rules or proxy, disable the extension on high-risk systems if operationally feasible, monitor outbound traffic for suspicious patterns, and monitor Securly's advisories closely for patch availability. These are temporary measures and should not delay patching once a fix is released.

Why use Caesar cipher for protecting hashes at all?

Caesar cipher is not encryption in the security sense and should never be used for protecting sensitive data. It appears the developer may have confused obfuscation with security. This highlights the importance of security code review and using established, vetted cryptographic libraries rather than custom implementations.

This analysis is based on the CVE record published 2026-06-03 and last modified 2026-06-17. Readers must verify patch availability and affected version applicability directly with Securly's official security advisories before implementing remediations. SEC.co does not provide warranties regarding the completeness or accuracy of this analysis for any organization's specific environment. Testing all patches in a controlled environment before production deployment is mandatory. For confirmed incidents or active exploitation, engage incident response professionals and notify law enforcement if warranted. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).